SEPolicy permission problems come up often on the Android platform; the log looks something like this:

[  170.390794] type=1400 audit(1594061213.935:90): avc: denied { write } for comm="kworker/4:1" path="/dev/block/sda3" dev="tmpfs" ino=50 scontext=u:r:kernel:s0 tcontext=u:object_r:device_a:s0 tclass=blk_file permissive=0

The kernel is not allowed to write directly to /dev/block/sda3. Here the type device_a is already defined, so find kernel.te and add the following:

allow kernel device_a:blk_file {read write};

OK. At this point the whole system has not been rebuilt, and building and flashing only the boot image does not make the rule take effect. Does that mean the whole system has to be built and flashed? The answer is no.

Since this is build related, the following refers to Android 10 (other versions should be much the same). First look at Android.mk under ./system/sepolicy:

# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
# policy and the platform public policy files in order to use checkpolicy.
LOCAL_MODULE := vendor_sepolicy.cil //tj
LOCAL_MODULE_CLASS := ETC
...
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux

This sepolicy is eventually compiled into vendor_sepolicy.cil, generated under $(TARGET_OUT_VENDOR):

TARGET_OUT_VENDOR := $(PRODUCT_OUT)/$(TARGET_COPY_OUT_VENDOR)
TARGET_COPY_OUT_VENDOR := vendor
PRODUCT_OUT := $(TARGET_PRODUCT_OUT_ROOT)/$(TARGET_DEVICE)

TARGET_PRODUCT_OUT_ROOT := $(TARGET_OUT_ROOT)/product
TARGET_OUT_ROOT := $(OUT_DIR)/target

OK, so the path is basically out/target/product/xxx/vendor/etc/selinux/vendor_sepolicy.cil, where xxx is $(TARGET_DEVICE), right?
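The two steps above (turning an avc denial into an allow rule, then finding the compiled vendor_sepolicy.cil and confirming the rule landed in it) can be checked with a small script. This is an added example, not code from the post: it parses a denial line of the shape quoted above, prints the .te rule and its CIL form (the s-expression syntax that vendor_sepolicy.cil uses), derives the output path from OUT_DIR and TARGET_DEVICE exactly as the make variables chain together, and checks whether a given .cil text already grants the denied permission. The sample denial and the two .cil snippets are constructed here for the demonstration.

```python
import re

# Constructed sample, same shape as the denial quoted in the post.
SAMPLE_DENIAL = (
    '[  170.390794] type=1400 audit(1594061213.935:90): avc: denied { write } '
    'for comm="kworker/4:1" path="/dev/block/sda3" dev="tmpfs" ino=50 '
    'scontext=u:r:kernel:s0 tcontext=u:object_r:device_a:s0 tclass=blk_file permissive=0'
)

# Constructed .cil snippets: before and after the kernel.te change is compiled in.
CIL_BEFORE = "(allow kernel device_a (blk_file (read)))\n"
CIL_AFTER = "(allow kernel device_a (blk_file (read write)))\n"

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_denial(line):
    """Extract permissions, source type, target type and class from an avc denial.

    A context such as u:r:kernel:s0 is user:role:type:level, so the type is field 2.
    Returns None if the line is not an avc denial.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': m.group('perms').split(),
        'source': m.group('scontext').split(':')[2],
        'target': m.group('tcontext').split(':')[2],
        'tclass': m.group('tclass'),
    }


def te_rule(d):
    """The allow rule in .te syntax, as it would be added to kernel.te."""
    return 'allow %s %s:%s { %s };' % (d['source'], d['target'], d['tclass'], ' '.join(d['perms']))


def cil_rule(d):
    """The same rule in CIL syntax, as it appears in the compiled vendor_sepolicy.cil."""
    return '(allow %s %s (%s (%s)))' % (d['source'], d['target'], d['tclass'], ' '.join(d['perms']))


def vendor_sepolicy_path(out_dir, target_device):
    """Follow the make variable chain from the post:
    TARGET_OUT_VENDOR = $(OUT_DIR)/target/product/$(TARGET_DEVICE)/vendor
    """
    return '%s/target/product/%s/vendor/etc/selinux/vendor_sepolicy.cil' % (out_dir, target_device)


def rule_present(cil_text, d):
    """True if some CIL allow statement for the same source/target/class grants every denied perm."""
    pat = re.compile(r'\(allow\s+%s\s+%s\s+\(%s\s+\(([^)]*)\)\)\)' % (
        re.escape(d['source']), re.escape(d['target']), re.escape(d['tclass'])))
    for m in pat.finditer(cil_text):
        granted = set(m.group(1).split())
        if set(d['perms']) <= granted:
            return True
    return False


if __name__ == '__main__':
    d = parse_denial(SAMPLE_DENIAL)
    print(te_rule(d))
    print(cil_rule(d))
    print(vendor_sepolicy_path('out', 'xxx'))
    print('before rebuild:', rule_present(CIL_BEFORE, d))
    print('after rebuild: ', rule_present(CIL_AFTER, d))
```

After rebuilding the sepolicy module, read the file at vendor_sepolicy_path() and pass its contents to rule_present(); if it returns False the change was not compiled in and pushing the file to the phone would not help.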

The phone also has this file, so you can simply replace it. If you are not sure how, refer to the verification method below: